Data leaks can happen in many ways, and they’re surprisingly common. For example, a company might be hacked by cybercriminals; someone may lose their laptop with sensitive information; employee records could get lost during relocation. It doesn’t take much for sensitive information to get into the wrong hands. In fact, research has found that more than half of all data leakages come from human errors like typos and lost files.
A data leak occurs when an organisation’s confidential data is accidentally or deliberately released to people who are not authorised to access it. Data leaks don’t make headlines the way data breaches do; however, they can be equally disastrous when sensitive data falls into the wrong hands.
There can be many reasons behind a leak, and it is not always the cybercriminals’ fault, but they leverage such situations (design errors, misconfiguration, flaws). An important thing to remember is that very little technical knowledge may be involved when data leakage occurs: a single click by mistake or a misuse of privilege is all it takes to start a major mishap in an organisation’s infrastructure.
What is meant by data leakage?
A data leak is a situation where data intended to be shared only within an organisation ends up outside it. The term data leakage refers to the disclosure of data from a secure system or environment to people who do not have access rights to it. One important point is that there can be multiple causes leading to data leakage. Below we discuss some of the common ways in which this happens.
In contrast to breaches, a data leak does not involve any cyber attack. It happens because of existing weaknesses in IT systems or organisation policies that end up granting unauthorised access to malicious attackers. Data leakage covers anything from accidental human error in handling physical media, such as a USB stick holding sensitive data or unprotected hard drives, laptops, and desktops, to poor data security practices. For example, the owner of an account might accidentally send personal documents to many people on his contact list instead of sending them one at a time. Or the company’s backup server is compromised, so sensitive information gets leaked out into the public domain.
Data breach vs data leak explained
A data breach occurs as a result of a security incident or when cybercriminals bypass security controls or launch a successful attack on systems, networks, applications, or data storage sources to extract, transfer, copy, modify or steal credentials, files or sensitive data. A data security breach involves unauthorised access to, disclosure of, or loss of personal data transmitted, stored or otherwise processed. It involves compromising the system through unauthorised access to gain sensitive information, including personal information, credit card information, trade/business secrets, or intellectual property data.
A fine line separates the two; whether it is a data breach or a data leak, both disrupt the business and the overall health of the company’s IT and security.
What is data loss?
Data loss occurs when an individual’s or organisation’s files or data get damaged or destroyed due to intentional or accidental human or software errors.
Data loss includes sensitive information or data being stolen or corrupted through viruses, malware, physical damage, system failure, data mishandling, or negligence in data transmission or processing, to the point where the data cannot be restored to a usable state for either people or software.
Why do data leaks happen?
Data breaches most commonly occur because businesses fail to keep their data security posture in check. It is down to technical risk assessment and management to ensure a minimal attack surface and sufficient measures in case a security event occurs.
It could be due to missing software updates to protect against cyberattacks from attackers who exploit vulnerabilities they find in various programs like WordPress plugins and older versions of Windows Server; however, data leaks can also be caused by breaches or data theft.
Data leakage is often caused by human error, with data being taken without authorisation, either intentionally or accidentally.
For instance, due to a lack of awareness and training, an employee may leave a laptop on a train with confidential customer data stored on it (data leak). At the same time, companies can also suffer data leaks through cyber attacks such as ransomware, which encrypts files and demands a ransom payment in Bitcoin.
Data leaks are one of the most common outcomes of attacks against corporate networks because attackers exploit people’s tendency to behave carelessly online and to click malicious links emailed from domain names that look similar to legitimate ones, such as ‘googlemaillogin’ instead of googlemail.
With the rise of digital services and technologies, securing businesses and making them resilient is getting more complicated on multiple fronts. At the same time, the organisation has to manage operations, management, production, and much more.
Neglecting the importance of cybersecurity, companies do not consider building cybersecurity policies into their business plans.
Developers do not add a secure SDLC process to their software; network engineers do not maintain secure configurations and deployments; employees lack security awareness and training, fall for phishing and other scams, and often do not report the incident to the IT team or management. Cybersecurity is considered an extra burden on the IT budget, or cultural issues are the main obstacle to a security-oriented approach.
All these factors leave the overall IT environment, internal and external, with an open door to a data leak, which later on feeds and transforms into massive breaches and cyber attacks.
What causes data leakage?
Data leaks happen because controls and protection are missing. Data can leak while it is being transmitted, while it is stored, and even while it is being used.
There are three prominent cases of data leaks.
Data in transit: a leak happens while data is moving from one end to another over the Internet with missing API security or weak protocol or port security.
Examples include website browsing, email transfer, active communication, etc.
Data at rest: this leak occurs when data is stored on unprotected devices and databases.
Examples include a file on your desktop or a database without a password.
Data in use: data often leaks when it is left on a clipboard or in a portable storage device.
How do data leaks help cybercriminals?
Now that you understand what data leakage is, it should not be difficult to see how any cybercriminal can benefit from leaked data.
Every year thousands of breaches and security incidents happen, but what is common in them?
No matter what you call it, data or information, it is either personal information such as PII or PHI, or financial information such as credit card numbers, bank account details, etc. Since the beginning, cybercriminals have been after data, and data leakage adds value to what cybercriminals want.
Leaked data gives cybercriminals numerous ways to plan a cyber attack or steal more data, leaving severe consequences for any business’s continuity or reputation.
In this section, let’s understand how data leaks help cybercriminals.
Accidental leaks are the most frequent data leaks in every industry. Human error is the leading cause of this type of leak.
Accidental leaks usually happen when someone unauthorised gets access to sensitive data. Since there is no cure for human mistakes, the impact is significant whenever someone gains access to sensitive or confidential information.
The most common example of an accidental data leak, due to lack of training of employees, is the confidential message or email sent to the wrong recipient or assets shared with an unauthorised person or employee unintentionally.
Suppose an employee receives a phishing email claiming to be a senior executive or reporting manager asking for a confidential document. In a hurry, the employee shares the record with the person over the email without verifying.
Although the email did not contain any forged link or document, the employee still fell for the scam and handed over the confidential document, resulting in data leakage. Proper training of employees and security awareness can prevent such incidents.
Misconfigured IT systems
Misconfigured systems, applications, databases, and other IT assets contribute massively to data leaks.
Due to such misconfiguration, systems and applications expose critical information to unknown networks, apps, and software components. If malicious hackers encounter these misconfigurations, they can carry out multiple activities to exploit them or penetrate through them.
Malicious attackers can use leaked data such as name, address, phone number, work details, bank account details, photos, private engagements, personal beliefs, and criminal history to doxx a person or an organisation.
Doxing or doxxing, short for ‘dropping dox’, is publicly unmasking or disclosing personal information without the individual’s prior consent.
It is a common weapon in all industries, well beyond cybersecurity, used as a targeted approach to harass and harm people by exposing their personal details and private correspondence, to commit credit card fraud, and sometimes in political vendettas. Later, other threat actors can use the publicly disclosed data to launch an attack or spy on the victims.
Cybercriminals love manipulating their targets with social engineering scams, and leaked data can catalyse the attacker’s performance.
Psychographic data or employee information such as PII, spouse details, workplace information, work history, email address, etc. gives an attacker the material to craft multiple social engineering attacks that manipulate or threaten the individual into performing malicious activities on the attacker’s behalf or granting the attacker authorised access.
Data leakage that exposes privileged credentials or sensitive information can damage operational and business reputations.
While in the case of personal data leakage either from a third-party vendor, employee negligence, or lack of data security policies, the business might have to face legal consequences and pay huge penalties.
If sensitive data, organisation credentials, business strategies, trade secrets, research information, etc. get into the hands of the wrong person or a cybercriminal, there is a high probability they will sell the information to rivals or competitors for a massive profit, or on the dark web.
The latter case has further consequences, as one never knows with what intention other criminals bought the data on the dark web or how they will use it.
Leaked credentials help cybercriminals to break into the data security of web applications and websites.
In such cases, data leakage can help attackers or individuals change account passwords, steal payment details, or initiate payments on behalf of the victim. In other circumstances it might help them deface the whole website, hijack the account, or hold the business to ransom.
How to prevent data leakage?
There is no silver bullet in cybersecurity that secures the assets and improves overall IT and security hygiene on its own.
However, there are always ways to reduce the attack surface, and the same goes for data leakage. It can be reduced by integrating data protection tools, software, or strategies into business and IT plans.
Other than tools, multiple best practices help to prevent data leaks and avoid any risk.
A proactive cybersecurity approach is the best tip for any organisation to be prepared. It involves a layered approach to ensure there are limits in place to reduce the impact, to contain the attack and to prevent attacks in the first place.
While preparing for data leak protection, do not forget to consider your endpoints. Most of the data leaks happen due to improper configuration and sensitive data storage on the endpoint devices such as desktop, mobile, USB, routers, etc.
Check whether the data stored on endpoints and passing through them is exposed in plain text or has proper security measures in place.
Usually, data gets leaked during transmission. Regular monitoring and keeping track of information being sent and received within and outside of your network greatly helps in data leak prevention. It also indicates suspicious behaviour and dangerous traffic coming to your network.
One of the leading causes of data leaks is insecure storage or data remaining accessible in plain text to everyone over the Internet. It is crucial to protect your data in its repository in data leak prevention, whether it is in use or not.
You can prevent data leaks by encrypting data and managing access to it. Adding authorisation and authentication also increases protection against data leakage.
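As an added example (not code from the original article), here is the kind of check the monitoring advice above describes: a small scanner that flags plaintext PII in data leaving the network. The log lines are constructed for illustration, and the Luhn check filters out digit runs that merely look like card numbers.

```python
"""Added example (not from the original article): flag plaintext PII in
outbound data, as a monitoring step for data in transit.
Sample lines below are constructed for illustration."""
import re

# Constructed sample: what an outbound-mail or proxy log tap might capture.
SAMPLE_LINES = [
    "2024-05-01T10:02:11Z mail out to=partner@example.net subject=Q2 figures",
    "2024-05-01T10:02:12Z mail out body='card 4111 1111 1111 1111 exp 12/26'",
    "2024-05-01T10:05:40Z http POST /upload body='order 1234567890123456'",
    "2024-05-01T10:07:03Z mail out body='reach me at alice@example.org'",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs (order ids, timestamps) that are
    not payment card numbers, which keeps false positives down."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (category, masked_value) findings for one line.
    Values are masked so the alert itself does not become a second leak."""
    findings = []
    for m in EMAIL_RE.finditer(line):
        user, _, domain = m.group().partition("@")
        findings.append(("email", user[0] + "***@" + domain))
    for m in CARD_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def scan(lines):
    """Scan every line; each hit is (line, finding)."""
    return [(ln, f) for ln in lines for f in scan_line(ln)]


if __name__ == "__main__":
    for line, (kind, masked) in scan(SAMPLE_LINES):
        print(f"{kind:5} {masked:22} <- {line}")
```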
Device usage policy
Unprotected devices can also introduce data leakage threats to your confidential information. Enforce a strict device usage policy for employees and users.
A good device usage policy must include the following:
- Purpose of device use
- Standard and authentic software
- Device damage and anti-theft mechanism
- Incident reporting and monitoring
- Encryption mechanism
- Device repair
Third-party risk management
Although a data leak is not itself a cyber attack, it leads to breaches and other cyber attacks. 67% of data breaches take place because of third-party risk, also known as vendor risk.
Through appropriate third-party risk management, you can identify how much data is being shared and handled with the vendor, third or fourth party. This way, you can have a transparent approach to data leak protection.
Following a security compliance framework also contributes significantly to handling data correctly and preventing data leakage. Regulations and standards such as HIPAA, PCI DSS, GDPR, etc. lay down guidelines for every type of industry on how to store and manage information.
Examples of data leak
It usually happens when there are loopholes in systems and applications, or when users themselves initiate such activities unknowingly. For example, it could happen due to incorrect configuration while setting up your system or application against the security policies and practices laid down by your organisation. Recently, an Apache Struts vulnerability became a big problem when it was discovered that data leakage happened due to a flaw in one of its components. Such situations can be avoided if the organisation follows cybersecurity best practices and is vigilant about vulnerabilities and threats and about the security configuration of systems and applications. Design flaws like the Apache Struts one may not be completely controllable by users or the organisation; however, with a defence in depth approach, the effects of such leakages can be limited and the resulting impact reduced further.
Twitch data leak
Twitch data leaked on the Internet exposed information about Twitch users and streamers. This includes streamer payouts for the past couple of years.
Here is the screenshot from Twitter user @KnowS0mething:
T-mobile data leak
The famous attacker group Lapsus$ targeted T-Mobile source code in 2021. This data leak included names, driver’s license numbers, SSNs, and device identification numbers such as IMEI and IMSI of former and potential customers.
Breachcomp2.0 data leak
Around 3 billion (Yes, it is correct – 3 billion!) email/password combinations were part of this Breachcomp2.0 data leak. It’s one of the largest data leaks of its kind on the dark web.
Facebook data leak
In 2018, Facebook suffered a data leak that brought it into the spotlight via Cambridge Analytica. Through an ex-employee of the British political consulting firm Cambridge Analytica, it was exposed how the data of more than 50 million Facebook users had been acquired.
Malindo Air data leak
In 2019, Malindo Air, the Malaysian subsidiary of Indonesia’s Lion Group, became the victim of a data leak when two of its former employees improperly accessed and stole customers’ personal data and posted it online for sale.
Exactis data leak
In this example, a marketing firm named Exactis exposed itself to a data leak because of an unprotected server with public access.
Due to improper configuration, the server exposed millions of customer records, including phone numbers, email addresses, and other PII (Personally Identifiable Information).
Denmark government portal data leak
A software error in the Danish government tax portal exposed the tax ID numbers of 1.26 million Danish citizens over five years.
Due to the system misconfiguration, every time a taxpayer updated their account details, the page URL included the identifying number, which was then collected by the Adobe and Google analytics scripts operating on the site.
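The Danish portal case is a URL-based leak: whatever sits in the page address is handed to third-party analytics. As an added example (not the portal’s code, and with a made-up URL shape, parameter names and ID format), this is a scrubber that allowlists what may reach analytics instead of trying to deny specific identifiers.

```python
"""Added example (not from the original article, not the Danish portal's
code): remove identifiers from a page URL before it is passed to an
analytics script. URL shape, parameter names and the 10-digit ID format
are assumptions chosen for illustration."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Only these query parameters are permitted to reach analytics. An allowlist
# fails closed: a new identifying parameter is dropped by default.
ANALYTICS_ALLOWLIST = {"lang", "page", "utm_source"}

# Constructed pattern for a personal ID appearing as a path segment.
ID_SEGMENT_RE = re.compile(r"^\d{10}$")


def scrub_url(url: str) -> str:
    """Return a copy of `url` safe to hand to an analytics script."""
    parts = urlsplit(url)

    # Keep only allowlisted query parameters, preserving their order.
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k in ANALYTICS_ALLOWLIST]

    # Path segments that look like an identifier are replaced, so a REST-style
    # /account/<id>/update path does not leak either.
    segments = ["[redacted]" if ID_SEGMENT_RE.match(s) else s
                for s in parts.path.split("/")]

    # The fragment is dropped outright; it never belongs in a telemetry payload.
    return urlunsplit((parts.scheme, parts.netloc, "/".join(segments),
                       urlencode(kept), ""))


if __name__ == "__main__":
    # Constructed URL in the shape of the leak described above.
    leaky = "https://tax.example/account/0101701234/update?taxid=0101701234&lang=da#sec"
    print(scrub_url(leaky))
```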
Microsoft customer support data leak
In 2020, the industry-leading organisation fell victim to a data leakage when an attacker found a misconfigured access control system for the customer support database. A customer support database with over 280 million Microsoft customer records was left unprotected on the web. Microsoft says the database did not include any other personal information.
Data leakage does not itself constitute an attack. However, it provides an open path that benefits attackers like nothing else if they find it in time. There have been numerous leaks in the past, and undoubtedly more will occur in the future. The examples above are just a few of these instances.
Considering the data leaks caused by human error, it is important to follow best practices to keep your organisation safe. These include looking at the lifecycle of your assets, design, configuration, and builds, not sharing information without approval or purpose, and understanding what you are allowed to share before doing so. You should also encrypt any confidential information on your device and make sure you don’t share personal information over unsecured networks. As we have seen with the Apache Struts design flaw, data leakage can be hard for users and organisations to control completely, but following these precautions will help limit its effects if it does occur.
If an organisation has not been breached yet, that does not mean it won’t face data leakage or breaches in the future. Every asset is just one click away from an attack. The ideal does not exist in the real world, and there is no single remedy for your IT systems that improves security hygiene other than prevention and cure through security best practices.
Maintaining security and protection against known and unknown vulnerabilities and threats is an ongoing exercise. Using penetration testing, timely identification of blind spots helps you analyse your security strategy and fill its gaps while reviewing your IT and security investments. Like your business needs continuous upgrades in other departments such as marketing and sales, they need continuous protection against cyber attacks.
Get in touch with us to discuss your security concerns or free consultation to help your business.
Shahrukh, is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Masters degree in Information Security, an OSCP and has a strong technical skillset in offensive security.